South Korean banks and broadcasters took phish bait in cyberattack

More details of the cyberattack on multiple banks and media companies in South Korea on Wednesday have emerged, suggesting that at least part of the attack was launched through a phishing campaign against employees of the companies. According to a report from Trend Micro's security lab, the "wiper" malware that struck at least six different companies was delivered disguised as a document in an e-mail.

The attachment was first noticed by e-mail scanners on March 18, the day before the attack was triggered. The e-mail was purportedly from a bank; Trend Micro's Deep Discovery threat scanning software recognized the message as coming from a host that had been used to distribute malware in the past.

The attachment, disguised as a document, was actually the installer for the "wiper" malware. It also carried PuTTY SSH and SCP clients and a bash script intended for an attack against Unix servers for which the infected machines held stored connection profiles. When activated, the dropper attempted to open SSH sessions to those Unix hosts with root privileges and erase key directories, as Ars reported yesterday.
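The behavior described above, a compromised workstation opening root SSH sessions on several Unix hosts in quick succession, leaves a recognizable trace in the servers' sshd logs. The following is an added detection example written for this page; it is not code from the article, from Trend Micro, or from the malware. The log lines are constructed, the syslog-style format, the admin allowlist (10.1.0.2), the log year, and the window and host-count thresholds are all assumptions chosen for the example.

```python
"""Flag SSH fan-out: one source address opening root sessions on several Unix
hosts within a short window. Added example for this page; the log lines below
are constructed, not taken from the incident."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd syslog lines (not real logs). Syslog omits the year, so
# LOG_YEAR is an assumption needed to build full timestamps.
LOG_YEAR = 2013
SAMPLE_AUTH_LOG = """\
Mar 20 14:00:01 web01 sshd[2201]: Accepted password for root from 10.1.5.23 port 51022 ssh2
Mar 20 14:00:03 web02 sshd[1187]: Accepted password for root from 10.1.5.23 port 51024 ssh2
Mar 20 14:00:04 db01 sshd[3310]: Accepted publickey for root from 10.1.5.23 port 51026 ssh2
Mar 20 14:00:09 app03 sshd[4411]: Accepted password for root from 10.1.5.23 port 51030 ssh2
Mar 20 14:02:15 web01 sshd[2250]: Accepted publickey for deploy from 10.1.9.7 port 40022 ssh2
Mar 20 14:03:40 bastion sshd[900]: Accepted publickey for root from 10.1.0.2 port 60000 ssh2
Mar 20 14:05:00 web02 sshd[1201]: Failed password for root from 10.1.5.23 port 51040 ssh2
"""

# Sources that are expected to open root sessions (assumed allowlist for this example).
ADMIN_SOURCES = {"10.1.0.2"}

# Matches only successful logins; "Failed password" lines do not match.
ACCEPTED_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_accepted_logins(text, year=LOG_YEAR):
    """Return one dict per 'Accepted ... for <user>' line, with a datetime built
    from the syslog fields plus the assumed year."""
    events = []
    for line in text.splitlines():
        m = ACCEPTED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(
            f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        events.append({"time": ts, "host": m["host"], "user": m["user"],
                       "method": m["method"], "src": m["src"]})
    return events


def find_root_fanout(events, allowlist=ADMIN_SOURCES,
                     window=timedelta(seconds=60), min_hosts=3):
    """Map each non-allowlisted source to the sorted distinct hosts it reached as
    root within the first `window` that contains at least `min_hosts` hosts.
    Sources that never reach the threshold are omitted."""
    by_src = defaultdict(list)
    for e in events:
        if e["user"] == "root" and e["src"] not in allowlist:
            by_src[e["src"]].append(e)

    hits = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["time"])
        # Slide a window anchored at each event; stop at the first one that qualifies.
        for i, first in enumerate(evs):
            hosts = {e["host"] for e in evs[i:]
                     if e["time"] - first["time"] <= window}
            if len(hosts) >= min_hosts:
                hits[src] = sorted(hosts)
                break
    return hits


if __name__ == "__main__":
    for src, hosts in find_root_fanout(parse_accepted_logins(SAMPLE_AUTH_LOG)).items():
        print(f"root SSH fan-out from {src}: {', '.join(hosts)}")
```

On the constructed sample, 10.1.5.23 is flagged for reaching four hosts as root within eight seconds, while the allowlisted bastion and the non-root deploy login are ignored. In a real deployment the thresholds would be tuned per environment, and a single root login from a workstation subnet would usually deserve an alert on its own.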

It's still unclear whether any damage was done to Unix systems, but the wiper disabled a number of PCs at the targeted companies. If the attack hit developers or webmasters at the companies, it's possible that Web servers were affected by the Unix SSH attack, bringing mobile and Web banking applications down. Still, the cause of the network interruptions that accompanied the malware attack remains unclear at this time.